Proposal (Was: When are and aren't two URLs the same?)

Johannes Ernst jernst+lists.danga.com at netmesh.us
Mon Apr 24 18:24:04 UTC 2006


On Apr 24, 2006, at 10:59, Jonathan Daugherty wrote:

> # In this particular example, the IDP implemented its own equivalence
> # policy -- "URL must be the same, character for character". And it
> # didn't work because the RP implemented its own equivalence policy
> # that was different from the IDP's, which was "port 80 may be
> # specified, it's still the same URL".
>
> This was in fact a bug in our consumer's fetcher.  This is definitely
> a case where the RP's behavior is what's questionable.  I hope this
> won't be the case very often. :)

I think this particular case is exactly what is going to happen quite  
frequently as people write more and maintain and integrate and extend  
Yadis-related code. Somebody, when writing code, made a reasonable  
assumption, that a URL may or may not contain port 80.

It's a bug in that it created interop problems -- but it isn't a bug  
in that the assumption was reasonable. The real bug was that we  
didn't define which assumptions were valid and which weren't, which  
is where I'm trying to get us to ...

> # In the extreme case, this opens up a huge security hole. If the RP
> # defines URL1 and URL2 to be equivalent, but the IDP does not, then
> # the user owning URL2 can very easily impersonate the user with URL1 at
> # the RP -- because RP does not distinguish the two!
>
> But in this case, there won't be a user with URL1 and a user with
> URL2; if they're equivalent, only one user will have both (technically
> the user will have one or the other, but be able to use either).

Only if the IDP makes them equivalent. If the IDP doesn't and the RP  
does, we're in trouble. The worst case would be that 99% of the  
world's IDPs agree with the RP's equivalence policy, and one didn't.  
It would be a very long time until somebody found that security hole.

Which seems to also argue that we test the equivalence policy, not  
merely define it. But one thing at a time. Can we first agree on what  
the equivalence policy should be? Again, I'm fine with any, as long  
as it is defined. ;-)


Johannes Ernst
NetMesh Inc.

  http://netmesh.info/jernst
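The mismatch described in the thread (an RP that treats an explicit port 80 as the same URL while the IDP compares character for character) can be checked mechanically once each side's equivalence policy is written down. The following is an added example, not code from the thread or from any Yadis implementation: the two policies and the example.com identity URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example policies; neither is the Yadis specification's definition.
DEFAULT_PORTS = {"http": 80, "https": 443}


def strict_policy(url: str) -> str:
    """The IDP's policy from the thread: two URLs are equal only character for character."""
    return url


def lenient_policy(url: str) -> str:
    """The RP's assumption from the thread: an explicit default port is still the same URL.

    Also lowercases the scheme and host (case-insensitive per RFC 3986) and treats an
    empty path as "/". Everything else is compared verbatim.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""            # urlsplit already lowercases the host
    port = parts.port                      # None when no port was given
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, parts.fragment))


def accounts_collide(urls, rp_policy, idp_policy):
    """Return the groups of identity URLs the RP merges into one account while the IDP
    still tells them apart. Each group is the security hole from the thread: the RP
    cannot distinguish the owners of those URLs, so one can act as the other."""
    by_rp_key = {}
    for url in urls:
        by_rp_key.setdefault(rp_policy(url), set()).add(idp_policy(url))
    return [ids for ids in by_rp_key.values() if len(ids) > 1]


# Constructed identity URLs: the IDP, under the strict policy, treats the first two as
# two different identities, while the RP under the lenient policy treats them as one.
IDENTITIES = [
    "http://example.com/alice",
    "http://example.com:80/alice",
    "http://example.com/bob",
]

if __name__ == "__main__":
    # Mismatched policies: one risky group; shared policy on both sides: none.
    print(accounts_collide(IDENTITIES, lenient_policy, strict_policy))
    print(accounts_collide(IDENTITIES, lenient_policy, lenient_policy))
```

Running the same check with the roles swapped (strict RP, lenient IDP) yields no collision, which is why the thread's worry is specifically an RP that is more lenient than the IDP.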